FreeRadius TOTP authenticate fail passcode validation

João Miguel Regateiro jmregateiro at gmail.com
Fri Jun 23 11:38:39 UTC 2023


Hi there,



Thanks for the previous response. Now I have come across two different
problems: the first is with building the rlm_totp module and the second is
with decoding the TOTP secret.



I was able to get the correct TOTP and authenticate successfully even
though "make totp" returned some errors. The passcode was indeed
incorrect because the module was generating the TOTP based on the system
time. I changed mods-available/date, set utc=yes, and that fixed the
problem (it was a misconfiguration of Universal Time vs. system time).


I tried to build the rlm_totp tool (make totp) and got the following errors
about undefined references ("fr_hmac_sha1" and "fr_digest_cmp"):



rlm_totp.c: In function ‘main’:

rlm_totp.c:336:44: warning: format ‘%llu’ expects argument of type ‘long
long unsigned int *’, but argument 3 has type ‘uint64_t *’ {aka ‘long
unsigned int *’} [-Wformat=]

  336 |                 (void) sscanf(argv[2], "%llu", &now);

      |                                         ~~~^   ~~~~

      |                                            |   |

      |                                            |   uint64_t * {aka long
unsigned int *}

      |                                            long long unsigned int *

      |                                         %lu

At top level:

rlm_totp.c:50:32: warning: ‘method_env’ defined but not used
[-Wunused-const-variable=]

   50 | static const call_method_env_t method_env = {

      |                                ^~~~~~~~~~

/bin/ld: /tmp/cccE8qoD.o: in function `totp_cmp':

/home/mfa/freeradius-server/src/modules/rlm_totp/rlm_totp.c:209: undefined
reference to `fr_hmac_sha1'

/bin/ld: /home/mfa/freeradius-server/src/modules/rlm_totp/rlm_totp.c:229:
undefined reference to `fr_digest_cmp'

collect2: error: ld returned 1 exit status

make: *** [Makefile:25: totp] Error 1



 ------------------------------------------------------------------------------------------



In the last email I was using a standard shared secret just for testing
purposes, but my TOTP generator creates a 56-character secret, so I am using
that and getting this message: "totp: TOTP-Secret cannot be decoded". I've
tried smaller secrets and it is always able to decode them, which made me
wonder whether there are any restrictions on the secret length.



Secret: 3R4VOYWSOR3YWEVRX74HRVXYXLMACQN3A457C24GS2OYG7EINHMBPQZO

Base32 encoded:
GNJDIVSPLFLVGT2SGNMVORKWKJMDONCIKJLFQWKYJRGUCQ2RJYZUCNBVG5BTENCHKMZE6WKHG5CUSTSIJVBFAUK2J4======



Fri Jun 23 11:42:00 2023 : Info: Ready to process requests

Fri Jun 23 11:42:04 2023 : Debug: (2) Received Access-Request Id 192 from
10.56.143.110:59496 to 10.56.143.110:1812 length 73

Fri Jun 23 11:42:04 2023 : Debug: (2)   User-Name = "bob"

Fri Jun 23 11:42:04 2023 : Debug: (2)   User-Password = "testing123123456"

Fri Jun 23 11:42:04 2023 : Debug: (2)   NAS-IP-Address = 10.56.143.110

Fri Jun 23 11:42:04 2023 : Debug: (2)   NAS-Port = 1812

Fri Jun 23 11:42:04 2023 : Debug: (2)   Message-Authenticator =
0x7641368bcad58c3250dd31f0e46e76d4

Fri Jun 23 11:42:04 2023 : Debug: (2) session-state: No State attribute

Fri Jun 23 11:42:04 2023 : Debug: (2) # Executing section authorize from
file /etc/raddb/sites-enabled/default

Fri Jun 23 11:42:04 2023 : Debug: (2)   authorize {

Fri Jun 23 11:42:04 2023 : Debug: (2)     modsingle[authorize]: calling
files (rlm_files)

Fri Jun 23 11:42:04 2023 : Debug: (2) files: users: Matched entry bob at
line 1

Fri Jun 23 11:42:04 2023 : Debug: Hello %{User-Name}

Fri Jun 23 11:42:04 2023 : Debug: Parsed xlat tree:

Fri Jun 23 11:42:04 2023 : Debug: literal --> Hello

Fri Jun 23 11:42:04 2023 : Debug: attribute --> User-Name

Fri Jun 23 11:42:04 2023 : Debug: literal -->

Fri Jun 23 11:42:04 2023 : Debug: (2) files: EXPAND Hello %{User-Name}

Fri Jun 23 11:42:04 2023 : Debug: (2) files:    --> Hello bob

Fri Jun 23 11:42:04 2023 : Debug: (2)     modsingle[authorize]: returned
from files (rlm_files)

Fri Jun 23 11:42:04 2023 : Debug: (2)     [files] = ok

Fri Jun 23 11:42:04 2023 : Debug: (2)     if (User-Password !~
/^(.*)([0-9]{6})$/) {

Fri Jun 23 11:42:04 2023 : Debug: (2)     if (User-Password !~
/^(.*)([0-9]{6})$/)  -> FALSE

Fri Jun 23 11:42:04 2023 : Debug: (2)     update request {

Fri Jun 23 11:42:04 2023 : Debug: (2)       EXPAND %{1}

Fri Jun 23 11:42:04 2023 : Debug: (2)          --> testing123

Fri Jun 23 11:42:04 2023 : Debug: (2)       User-Password := testing123

Fri Jun 23 11:42:04 2023 : Debug: (2)       Overwriting value
"testing123123456" with "testing123"

Fri Jun 23 11:42:04 2023 : Debug: (2)       EXPAND %{2}

Fri Jun 23 11:42:04 2023 : Debug: (2)          --> 123456

Fri Jun 23 11:42:04 2023 : Debug: (2)       TOTP-Password := 123456

Fri Jun 23 11:42:04 2023 : Debug: (2)     } # update request = noop

Fri Jun 23 11:42:04 2023 : Debug: (2)     if (&User-Name == "bob") {

Fri Jun 23 11:42:04 2023 : Debug: (2)     if (&User-Name == "bob")  -> TRUE

Fri Jun 23 11:42:04 2023 : Debug: (2)     if (&User-Name == "bob")  {

Fri Jun 23 11:42:04 2023 : Debug: (2)       update control {

Fri Jun 23 11:42:04 2023 : Debug: (2)         TOTP-Secret :=
GNJDIVSPLFLVGT2SGNMVORKWKJMDONCIKJLFQWKYJRGUCQ2RJYZUCNBVG5BTENCHKMZE6WKHG5CUSTSIJVBFAUK2J4======

Fri Jun 23 11:42:04 2023 : Debug: (2)       } # update control = noop

Fri Jun 23 11:42:04 2023 : Debug: (2)     } # if (&User-Name == "bob")  =
noop

Fri Jun 23 11:42:04 2023 : Debug: (2)     modsingle[authenticate]: calling
totp (rlm_totp)

Fri Jun 23 11:42:04 2023 : Debug: (2) totp: TOTP-Secret cannot be decoded

Fri Jun 23 11:42:04 2023 : Debug: (2)     modsingle[authenticate]: returned
from totp (rlm_totp)

Fri Jun 23 11:42:04 2023 : Debug: (2)     [totp.authenticate] = fail

Fri Jun 23 11:42:04 2023 : Debug: (2)   } # authorize = fail

Fri Jun 23 11:42:04 2023 : Debug: (2) Using Post-Auth-Type Reject

Fri Jun 23 11:42:04 2023 : Debug: (2) Post-Auth-Type sub-section not
found.  Ignoring.

Fri Jun 23 11:42:04 2023 : Debug: (2) # Executing group from file
/etc/raddb/sites-enabled/default

Fri Jun 23 11:42:04 2023 : Debug: (2) Delaying response for 1.000000 seconds

Fri Jun 23 11:42:04 2023 : Debug: Waking up in 0.3 seconds.

Fri Jun 23 11:42:04 2023 : Debug: Waking up in 0.6 seconds.

Fri Jun 23 11:42:05 2023 : Debug: (2) Sending delayed response

Fri Jun 23 11:42:05 2023 : Debug: (2) Sent Access-Reject Id 192 from
10.56.143.110:1812 to 10.56.143.110:59496 length 32

Fri Jun 23 11:42:05 2023 : Debug: (2)   Reply-Message = "Hello bob "

Fri Jun 23 11:42:05 2023 : Debug: Waking up in 3.9 seconds.

Fri Jun 23 11:42:09 2023 : Debug: (2) Cleaning up request packet ID 192
with timestamp +32 due to cleanup_delay was reached

Fri Jun 23 11:42:09 2023 : Info: Ready to process requests



Thank you!



Best regards,

Miguel

luis teixeira <luis.carlosteixeira at outlook.com> wrote on Friday,
23/06/2023 at 12:19:

>
>
> ------------------------------
> *From:* Freeradius-Users <freeradius-users-bounces+luis.carlosteixeira=
> hotmail.com at lists.freeradius.org> on behalf of Alan DeKok <
> aland at deployingradius.com>
> *Sent:* 20 June 2023 14:50
> *To:* FreeRadius users mailing list <
> freeradius-users at lists.freeradius.org>
> *Subject:* Re: FreeRadius TOTP authenticate fail passcode validation
>
> On Jun 20, 2023, at 5:06 AM, João Miguel Regateiro <jmregateiro at gmail.com>
> wrote:
> >
> >
> > I am working on a TOTP authentication method setup with FreeRadius. For
> > starters I created the user “bob” on raddb/users and defined a password
> to
> > authenticate against the server
> > I have got it to work with just normal user and password but when I try
> to
> > configure the TOTP module and testing using radiusd -X it shows the
> > totp.authenticate the return fail. I have made sure that the date time is
> > the same UTC +00 on all the environments, and generate the TOTP token
> with
> > sha-1, 6 digits code and 30seconds time frame. [Generate token in base
> 32 =
> > JJBFGV2ZGNCFARKIKBFTGUCYKA====== ] and [Generate default token =
> > JBSWY3DPEHPK3PXP ]
>
>   If it fails, then the short answer is that the TOTP doesn't match.
> There isn't really much else which can go wrong.
>
>   I've pushed changes to the v3.2.x branch which let you do "radiusd -Xx",
> and the totp module will now print out the TOTP it expected, and the one it
> received.  You'll have to download and build v3.2.x in order to use it,
> though.
>
>   You can also build a command-line program to test the TOTP.  Build the
> source as normal, and then do:
>
> $ cd src/modules/rlm_totp
> $ make totp
>
>   And then can use the above key:
>
> $ ./totp totp 1687268891 JBSWY3DPEHPK3PXP 601664
> Time 1687268891
> Expected 601664
> Received 601664
>
> or:
>
> $ ./totp totp now JBSWY3DPEHPK3PXP 123456
> Time 1687269000
> Expected 895298
> Received 123456
> Fail
>
>   My guess is that the TOTP you're giving it is wrong.  But increased
> debug output will let you know exactly what's going on.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
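Added example (editor's code, not from the FreeRADIUS project or either poster): a stand-alone Python reproduction of the checks this thread turns on, so the secret and the passcode can be tested outside radiusd without building the "totp" tool. It splits User-Password the way the posted unlang policy does (/^(.*)([0-9]{6})$/), decodes TOTP-Secret strictly as RFC 4648 base32 and reports the raw key length, and computes RFC 6238 TOTP with the parameters the original poster states (HMAC-SHA1, 6 digits, 30-second step). Run on the strings posted above it shows that the 56-character secret is itself valid base32 (35 raw bytes) and that the 96-character string is the base32 encoding of that 56-character string's ASCII text (56 raw bytes); what key size rlm_totp will accept is not stated anywhere on this page, so that remains a question for the module source. The +/- one-step skew window is an assumption for illustration, not the module's configured behaviour. The RFC 6238 test vector is used to check the TOTP arithmetic.

```python
"""Stand-alone TOTP checks for the thread above (added example, not
FreeRADIUS code).  Sample inputs are the strings posted in the thread plus
the RFC 6238 test-vector key."""
import base64
import binascii
import hashlib
import hmac
import re
import struct
import time

# Strings copied from the thread.
SECRET_56 = "3R4VOYWSOR3YWEVRX74HRVXYXLMACQN3A457C24GS2OYG7EINHMBPQZO"
SECRET_96 = ("GNJDIVSPLFLVGT2SGNMVORKWKJMDONCIKJLFQWKYJRGUCQ2RJYZUCNBVG5BT"
             "ENCHKMZE6WKHG5CUSTSIJVBFAUK2J4======")
SECRET_ALAN = "JBSWY3DPEHPK3PXP"
# RFC 6238 Appendix B key ("12345678901234567890"), base32 encoded.
RFC6238_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

PASSWORD_SPLIT = re.compile(r"^(.*)([0-9]{6})$")


def split_password(user_password: str):
    """Mirror the unlang policy in the debug log: return (password, code),
    or None when the value does not end in six digits."""
    m = PASSWORD_SPLIT.match(user_password)
    if not m:
        return None
    return m.group(1), m.group(2)


def decode_base32_secret(secret: str):
    """Strict RFC 4648 base32 decode of a TOTP-Secret.  Returns the raw key
    bytes, or None when the string is not valid base32 (bad alphabet, or a
    length/padding that is not a whole number of 8-character quanta)."""
    try:
        return base64.b32decode(secret, casefold=False)
    except (binascii.Error, ValueError):
        return None


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: counter = floor(now / step) as a
    big-endian 64-bit integer, RFC 4226 dynamic truncation, zero-padded."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_totp(secret: str, received: str, now: int, window: int = 1) -> bool:
    """Compare the received code against the expected code for the current
    step and +/- `window` adjacent steps (assumed skew allowance), using a
    constant-time comparison.  An undecodable secret fails closed."""
    key = decode_base32_secret(secret)
    if key is None:
        return False
    for delta in range(-window, window + 1):
        expected = totp(key, now + delta * 30)
        if hmac.compare_digest(expected, received):
            return True
    return False


if __name__ == "__main__":
    print(split_password("testing123123456"))
    for s in (SECRET_ALAN, SECRET_56, SECRET_96):
        raw = decode_base32_secret(s)
        print(len(s), "chars ->", "undecodable" if raw is None else f"{len(raw)} raw bytes")
    # The 96-char string is the base32 of the 56-char string's ASCII text.
    print(decode_base32_secret(SECRET_96) == SECRET_56.encode())
    t = int(time.time())
    print("Time", t, "Expected", totp(decode_base32_secret(SECRET_ALAN), t))
```

To compare with Alan's tool, feed the same epoch second into totp() that you pass as the second argument to ./totp; a mismatch between the two implementations points at the key decoding, a mismatch against the phone points at the clock or the secret the phone was enrolled with.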

